Previously we bwrap-ed the whole our.rb script. In this commit we switch it so that our.rb is run outside of bwrap, but every user command it executes is done inside bwrap. This allows us to use bwrap's "--die-with-parent" (along with "--unshare-pid") to kill off any forked processes when the parent process is killed due to a timeout.
		
			
				
	
	
		
16 lines, 275 B, Bash, Executable File
| #!/usr/bin/env bash
 | |
| 
 | |
| DIR=$(dirname -- $0)
 | |
| OUR_CMDS_DIR=${OUR_CMDS_DIR:-/town/our}
 | |
| 
 | |
| /usr/bin/bwrap \
 | |
| 	--unshare-all \
 | |
| 	--ro-bind / / \
 | |
| 	--bind "$OUR_CMDS_DIR/data" "$OUR_CMDS_DIR/data" \
 | |
| 	--share-net \
 | |
| 	--dev /dev \
 | |
| 	--tmpfs /tmp \
 | |
| 	--unshare-pid \
 | |
| 	--die-with-parent \
 | |
| 	"$@"
 |
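Review bot: The bwrap invocation has no `--proc /proc`, so with `--ro-bind / /` the sandboxed command still sees the host's /proc rather than one that matches the new PID namespace from `--unshare-pid`; user commands can read other processes' entries there, and tools that inspect /proc will see PIDs that do not exist inside the sandbox. Add `--proc /proc` after the `--ro-bind / /` line. Two smaller points on the same script: `DIR=$(dirname -- $0)` leaves `$0` unquoted and `DIR` is never used afterwards, so either drop the line or write `DIR=$(dirname -- "$0")`; and `--unshare-all` already unshares the PID namespace, so the later `--unshare-pid` is redundant (harmless, but a short comment saying it is kept for clarity alongside `--die-with-parent` would help). Since `--ro-bind / /` makes everything on the host that is readable to the calling user readable to user commands, and `--share-net` gives them the network back, it is worth a comment stating that this is intended, or narrowing the bind to the paths the commands need.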